Insurers could pay US$275 million to cover the insured portion of drugmaker Merck & Co's loss from a cyber attack in June, according to a forecast by Verisk Analytics Inc's Property Claim Services (PCS) unit.
Merck, however, has not disclosed the magnitude of its uninsured losses from the "NotPetya" attack, which disrupted production of some Merck medicines and vaccines.
The company was among dozens of firms worldwide hit in the June 27 attack, which began in Ukraine, then rapidly spread through corporate networks of multinationals with operations or suppliers in Eastern Europe.
"Merck has not yet fully quantified its losses, much less given any of its insurers an estimate of the total amount of those losses," Merck spokeswoman Claire Gillespie said in a statement.
She reiterated that Merck has insurance that would cover some costs, but declined to elaborate or say how much Merck expects to have to pay on its own.
The drugmaker said in July that it had suffered a worldwide disruption of its operations as a result of the malware. It was still in the process of restoring its manufacturing operations a month later.
Merck said then that it was confident it would be able to maintain a continuous supply of its top-selling and life-saving drugs, but warned of temporary delays in delivering some other products.
NotPetya is a destructive virus that spread quickly across computer networks, crippling computers by encrypting hard drives so that machines cannot run. The attacks caused massive disruptions to industrial networks that rely on computers because businesses must individually replace damaged drives, a labor-intensive process.
Cyber insurance can be expensive to buy and is not widely used outside the United States, with one insurer previously describing the cost as US$100,000 for US$10 million in data breach insurance.
Policies typically cover expenses stemming from a data breach, such as forensics and data restoration, among other costs. Coverage also helps pay for business interruption expenses when a breach or malware attack shuts down a company's website.
Some companies without cyber insurance have used their policies covering kidnap, ransom and extortion to recoup losses caused by ransomware viruses.
(Reporting by Michael Erman in New York and Noor Zainab Hussain in Bengaluru, additional reporting by Suzanne Barlyn; editing by Jim Finkle and G Crosse)